GDPR Compliance

Your rights under the General Data Protection Regulation and our commitment to data protection.

Last updated: September 21, 2025

1. Our Commitment to GDPR

Spacekit.io is committed to protecting the privacy and personal data of all individuals, especially those within the European Union. We comply with the General Data Protection Regulation (GDPR) and have implemented appropriate technical and organizational measures to ensure the security and lawful processing of personal data.

Key GDPR Principles We Follow

  • Lawfulness, fairness and transparency: We process data lawfully, fairly, and transparently
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes
  • Data minimization: We process only data that is adequate, relevant, and limited to what is necessary
  • Accuracy: We keep personal data accurate and up to date
  • Storage limitation: We keep data only as long as necessary
  • Integrity and confidentiality: We ensure appropriate security of personal data
  • Accountability: We demonstrate compliance with GDPR principles

2. Legal Basis for Processing

We process personal data based on one or more of the following legal bases:

2.1 Consent (Article 6(1)(a))

For activities such as:

  • Marketing communications and newsletters
  • Non-essential cookies and tracking
  • Personalized advertising
  • Optional data collection for service improvement

2.2 Contract Performance (Article 6(1)(b))

For activities necessary to fulfill our contract with you:

  • Providing brand creation services
  • Account management and customer support
  • Payment processing and billing
  • Delivering brand assets and project files

2.3 Legitimate Interest (Article 6(1)(f))

For activities where we have a legitimate business interest:

  • Website analytics and performance monitoring
  • Fraud prevention and security measures
  • Business development and service improvement
  • AI model training using anonymized data

2.4 Legal Obligation (Article 6(1)(c))

For compliance with legal requirements:

  • Tax and accounting record keeping
  • Regulatory compliance and reporting
  • Law enforcement cooperation when required

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to the personal data along with specific information about the processing.

How to exercise: Email us at privacy@spacekit.io with subject "Data Access Request"

Response time: Within 1 month (may be extended by 2 months for complex requests)

3.2 Right to Rectification (Article 16)

You have the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed.

How to exercise: Log into your account or email privacy@spacekit.io

Response time: Without undue delay

3.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to obtain erasure of personal data concerning you under certain circumstances, including when the data is no longer necessary for the original purpose.

How to exercise: Email us at privacy@spacekit.io with subject "Data Deletion Request"

Note: Some data may need to be retained for legal compliance

3.4 Right to Restrict Processing (Article 18)

You have the right to obtain restriction of processing under certain circumstances, such as when you contest the accuracy of personal data.

3.5 Right to Data Portability (Article 20)

You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

How to exercise: Email us at privacy@spacekit.io with subject "Data Portability Request"

Format: JSON or CSV

3.6 Right to Object (Article 21)

You have the right to object to processing of personal data based on legitimate interests or for direct marketing purposes.

Direct marketing: Unsubscribe links in emails or email privacy@spacekit.io

Other processing: Email privacy@spacekit.io with specific objection details

3.7 Rights Related to Automated Decision Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you.

4. How to Exercise Your Rights

4.1 Contact Information

Data Protection Officer

Email: dpo@spacekit.io

Email: privacy@spacekit.io

Address: [Company Address]

Phone: [Phone Number]

4.2 Required Information

When making a request, please provide:

  • Your full name and email address associated with your account
  • A clear description of the right you wish to exercise
  • Any specific information or data you're referring to
  • Proof of identity (copy of ID document) for security purposes

4.3 Response Times

We will respond to your request:

  • Initial acknowledgment: Within 72 hours
  • Full response: Within 1 month of receipt
  • Complex requests: May be extended by 2 additional months with explanation
  • Free of charge: Unless requests are manifestly unfounded or excessive

5. Data Transfers Outside the EU

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries with adequate data protection
  • Standard Contractual Clauses (SCCs): EU-approved contract terms with third parties
  • Binding Corporate Rules: For transfers within multinational organizations
  • Consent: Explicit consent for specific transfers when appropriate

6. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when our processing activities are likely to result in high risk to individuals' rights and freedoms. This includes:

  • New AI model implementations that process personal data
  • Large-scale processing of special categories of data
  • Systematic monitoring of public areas
  • Innovative technologies that may impact privacy

7. Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify supervisory authority: Within 72 hours of becoming aware (if likely to result in risk)
  • Notify affected individuals: Without undue delay (if likely to result in high risk)
  • Document the breach: Include facts, effects, and remedial action taken
  • Investigate and remediate: Take immediate steps to address the breach

8. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. You can contact:

  • Your local data protection authority in your EU member state
  • The lead supervisory authority where we have our main establishment
  • Any supervisory authority where you habitually reside, work, or where an alleged infringement occurred

File a Complaint

If you're not satisfied with how we handle your data protection concerns, you can file a complaint with your local data protection authority. This right is in addition to any other administrative or judicial remedies.

9. Children's Data Protection

We take special care to protect children's personal data. For children under 16 (or the applicable age in their member state), we require verifiable parental consent for processing personal data. We do not knowingly collect data from children under 13.

10. Regular Review and Updates

We regularly review our GDPR compliance measures and update our procedures as necessary. This includes:

  • Annual privacy impact assessments
  • Regular staff training on data protection
  • Ongoing monitoring of data processing activities
  • Updates to policies and procedures as laws evolve

Questions About GDPR?

If you have any questions about GDPR compliance or how we protect your personal data, please don't hesitate to contact our Data Protection Officer at dpo@spacekit.io. We're here to help ensure your privacy rights are protected.